Feedback Friday: JPMorgan Targeted in Alleged Russian Cyberattack – Industry Reactions

Federal authorities in the United States are investigating reports of cyberattacks launched against JPMorgan Chase and at least one other unnamed financial institution.

Feedback Friday

The attackers, presumably located in Russia, are said to have stolen large amounts of sensitive data from the systems of the targeted organizations. The level of sophistication indicates that the cyberattacks could be the work of a foreign government, and the FBI is reportedly trying to determine if the incidents are a form of retaliation for the sanctions against Russia over its support of rebels in Ukraine.

Some security experts have pointed out that banks are not spending enough on security, while others note that banks are fairly good at protecting themselves, but apparently not good enough. While some say it’s too early to start pointing the finger at Russia, the representatives of some security companies believe past attacks might provide some indication as to how this operation was carried out.

And the Feedback Begins…

Vinnie Liu, partner at security consultancy Bishop Fox:

“Attribution on the Internet is a hard problem – determining the source of an attack is often a combination of art and science. Without much harder evidence than what’s available, we cannot say for certain whether the attacks were Russian in origin. It wouldn’t be out of the question for hackers to use the political turmoil as a cover for part of a false flag operation.

Financial institutions are attacked because they’re attractive, high profile targets for political messages. They represent in many ways the economic power, financial stability, and global standing of the US itself. Attacking a TJ Maxx to send a political message wouldn’t have the same impact as JP Morgan Chase.

Up to this point, politically-motivated hacks have manifested themselves as defacement or denial-of-service attacks, often in response to economic sanctions (e.g. Iran). So if this incident were state-sponsored, as some have suggested, it would not be the first time that the Russian government has used cyber warfare as an extension of their political will. Examples include Estonia and Georgia. But what’s unusual, if it were politically motivated, is that the hackers tried to avoid detection. This could mean that their motivation was not in fact political and more likely financial.

An alternative theory suggests that the attackers have evolved beyond the ‘hit-and-run’ tactics of the past into a more strategic long-game. This means that the hackers intended to maintain access to these systems and continue to operate behind the scenes. In essence, continued operations or information warfare. If they were successful in maintaining this long term access, they would be able to sow chaos within the banks by impersonating real customers and employees while behaving badly – fake transfers, incorrect ledgers, missing money, and so forth. This would have the much greater impact of damaging the institutions’ reputation and perceived stability.”


Dana Wolf, Sr. Director of Products at OpenDNS:

“This latest attack against the financial services industry demonstrates the need for the security industry to focus on the infrastructure being used to carry out targeted attacks. While defense mechanisms that look for malware, Trojans, etc. are necessary, they often cannot detect sophisticated attacks until after a data breach has occurred.

A new approach is needed to fight these attacks: one that examines a cross-section of the Internet’s global traffic to discover relationships between attackers’ infrastructure. This ‘satellite-view’ model of security can not only provide an early-warning system for APT attacks that are underway, but it can identify threats before an attack happens by identifying newly created malicious infrastructure.”

Rob Sadowski, Director of Technology Solutions for RSA:

“The financial sector has always been among the most frequently targeted industries for cyber attacks because of the clear potential for financial gain. As a result, banks have developed some of the most resilient defenses and are generally among the most prepared institutions for dealing with all manner of cyber criminals, both sophisticated and unsophisticated. However, as has been proven time and again, no defense can be 100 percent effective. That’s why, in addition to a strong defensive posture, organizations also need to be practiced and proficient at incident response.


“While ‘naming names’ is an interesting intellectual and political exercise, the truth is that attribution is rarely, if ever, certain, and also somewhat irrelevant to the victim. Regardless of who the perpetrators ultimately are in this case, the reality is that there are a huge variety of actors trying to use cyberattacks to accomplish their goals, and that has increased and evolved over time.”

Paul Lipman, CEO of iSheriff:

“The breach of JPMorgan Chase, the largest bank in the US by asset size, is yet another in a series of recent cyber-attacks in which hackers have taken advantage of weak links in security posture. In the case of the attack on Target late last year, cyber-criminals made their way in through an extranet used by a small supplier.


Although the investigation is still in its early stages, it appears that this attack against JPMorgan happened through an employee’s personal computer that had been infected with malware while the device was off-site. Once that computer was brought back into the office, effectively behind JPMorgan’s line of cyber-defense, the malware was able to permeate the network, identifying and then exfiltrating sensitive customer data.”

David Amsler, President and CIO at Foreground Security:

“This isn’t much different than the Cold War era build-up of military arms and specifically nuclear arms. We are in an era of an aggressive and blatant ‘cyber arms race’ and continuous attacks, but the only difference is the cost of entry is so low that any group or nation state can enter.”

Tal Klein, VP of strategy and marketing for Adallom:

“We need to focus on cause not culprit. Russia or China are merely scapegoats for poor operational security exhibited by organizations and companies that we entrust with our personal information and money.”


Vijay Basani, CEO of EiQ Networks:

“We have seen a large number of regional financial institutions (banks, credit unions, etc.) believing that just implementing a firewall or AV will protect them against targeted attacks. The majority of them don’t have continuous auditing of security controls, don’t have true 24x7x365 security monitoring and don’t have IT staff with sufficient security knowledge. As a result they are all exposed to modern day cyber attacks. Fortunately there are affordable services available for these institutions if the senior management gets serious about security and provides proper funding and support.”

Vince Arneja, Vice President of Product Management at Arxan Technologies:

“For the most part, banks have been proactive and successful in defending against persistent attacks. However, given the dynamic approaches that hackers are using to launch attacks, hackers are on occasion successfully penetrating existing defenses. In this ongoing battle against sophisticated hackers, banks need to continue their investment in new security approaches in order to defend against new threats.

A holistic approach is needed that addresses network, endpoint as well as application security. The application layer provides the last perimeter of defense and application protection can be deployed across all platforms including server and client software, which is now being extended to mobile endpoints. With an approach that provides incremental application and data protection, the hackers are kept further at bay from realizing any gains that would have resulted from a successful network breach as sensitive data will be more difficult to decipher.”

James Christiansen, vice president, information risk management and member of Accuvant’s Office of the CISO:

“Most major industries are under increased attack. For example, healthcare has experienced more breaches in the last 12 months than ever before, and hi-tech companies are dead center in the attackers’ scope. The banking industry has faced continuous attacks for decades, as attackers continue to try every avenue to penetrate systems and obtain financial data. What has changed is the method of attacks – now slow and quiet, they are more difficult to detect and therefore allow the attacker time to determine the ultimate harm/value.

We have to protect against thousands of possible entry points and attack methods, and the attacker only needs to find one vulnerability, making it an uneven playing field. The reality of the situation is that we are engaged in a cyberwar, and we cannot win with the old tactics. It is time to rethink the traditional defense in-depth strategy and move towards a holistic security strategy that includes increased visibility into and predictability of the attackers’ actions.”

Mark Stanislav, Security Evangelist at Duo Security:

“If there’s a determination that a specific vulnerability led to the successful compromise of these firms, that insight needs to be disseminated as soon as possible to have not only financial organizations firm-up their security, but the general business population.

There’s certainly a possibility this was all executed through spear-phishing campaigns for unpatched vulnerabilities that commonly impact the security of web browsers, office suites and other client-facing software. While it seems hard to believe, large organizations can be breached through something as simple as a well-targeted e-mail to steal credentials or otherwise impact operational security.”

Aviv Raff, Seculert CTO and Chief Researcher:

“While the motivation behind the attack against JPMorgan Chase is still unknown, it is known that gigabytes of sensitive data have been stolen by the attackers. Much like the Target breach, where over 11 gigabytes* of private data was stolen, the JPMorgan breach shows again that there is no way to 100% prevent an attack. It’s up to the enterprise to use the best tools to detect the compromised devices as soon as possible, before the data is stolen and the incident becomes a breach.”

Philip Casesa, Director of IT/Service Operations at (ISC)2:

“Corporations are quietly (or in some cases not so quietly) engaged in asymmetric warfare with nation-states. Prior to the NSA revelations, we were led to believe that it was all China, Russia, and Iran attacking the United States unprovoked. Since we now understand that isn’t true, we come to the realization that cyberattacks are now a weapon for all or most governments, and wielded for political reasons to inflict damage on economies and intellectual property.

Whether this particular attack on JP Morgan Chase is government sponsored or not, the reality is that businesses and citizens will ultimately pay the price of cyber war amongst feuding governments. This just adds to the threat landscape that organizations face with hacktivists, financially-motivated hackers, and now governments engaging in posturing, spying, or influence of economic events.”

Tom Kellermann, chief cybersecurity officer, Trend Micro:

“Attackers see financial institutions and organizations as an opportunity to not just steal money, but as a way to take down iconic American businesses. Geopolitics are now harbingers of cyber attacks. Economic sanctions can and will be met by cyber sanctions, a new type of retaliation in today’s digital world. These attacks are the result of an escalating cyber crime-wave that began in late July and clearly demonstrate the high level of skill which organizations and enterprises are up against.”


Lamar Bailey, director of security research and development at Tripwire:

“Details about the theft of checking and savings account information connected with this breach are still vague at this point, but this is a much larger problem for customers than credit card breaches.

With correct account information criminals can initiate wire transfers that completely clean out accounts; the bad news is that wire transfer consumer protection is not as favorable for consumers as credit card protections. For example, financial institutions can take up to 90 days to investigate and rule on wire transfer disputes.

Hackers can also use account information to print blank checks and use them at brick and mortar retail locations using any legitimate check printing software. Consumers can disallow wire transfers from their accounts but the only way to protect against fraudulent checks is to change your account number. And, even if you take this step, some financial institutions will still process ‘old’ checks during a grace period.”

Carl Herberger, VP of Security Solutions at Radware:

“In the world of globalization, we will continue to see that for every real world government action, there will be a cyber reaction – one can speculate that sanctions from the United States on Russia led to attacks on financial institutions like JPMorgan by Russian hackers. This is the latest example of this trend and isn’t just a problem for Washington. We’ve seen this around the world, for example during the Arab Spring and ongoing Syrian rebellion. All governments need to understand that their actions can and will cause these cyber reactions.

While companies and institutions cannot predict how these political actions will impact their organizations, this shows the importance of having staff trained on the latest cyber-security risks, as well as participation in information-sharing organizations that can turn threats into actionable intel. We recommend that all financial services companies exercise extreme care with their security postures over the near term.”

Greg Kazmierczak, CTO, Wave Systems Corp:
“The Russians performed a zero-day attack to gain initial access to the network. By definition, this means they leveraged a vulnerability, or flaw, that was previously unknown. There is no such thing as fool-proof security; especially when the attacker is a well-funded, highly-skilled, and highly motivated nation-state.”


Mike Lloyd, CTO at RedSeal Networks:

“The recent breach at JPMorgan Chase (and at least one other unnamed bank) is a sign of the increasing sophistication of both attackers and defenders in the ongoing war in cyberspace. As JPMC confirmed, they regularly face attacks – at least ‘daily,’ according to a spokesperson – but they seldom lose, because they have built up complex defenses. However, complex defenses get harder and harder to manage and coordinate as you increase in scale – bigger organizations suffer more problems of this sort.

As attackers get ever more sophisticated, defenders need to ‘war-game’ continuously just to make sure their complex infrastructure hasn’t opened up a new hole. The next stage in the arms race, for both attackers and defenders, is automation – not just searching for gaps, but figuring out the consequences of those gaps, in much the same way that generals study a battlefield before the battle starts.”

Bob Stratton, general partner of cybersecurity accelerator MACH37 and member of the Black Hat Review Board:

“I think it is early to be jumping to conclusions about the attribution for an attack like this. The trickiest part of defending networks in the modern age is determining the actual, rather than the apparent source of an attack. It will take time to forensically sort this out. While undoubtedly frustrating to those trying to cover the story in the present moment, network attacks, like airplane crashes, can take a while for proper investigation and attribution.

There are several factors to remember together. It is risky to think about any one of these without the others:

· The fact that an attack comes from someone’s networks does NOT automatically imply that that someone is the attacker.

· It appears that Russia has used attacks on a target’s networks in the early stages of military action. (It isn’t clear this is relevant here. I don’t anticipate an invasion of Manhattan anytime soon.)

· Many of the most recent denial-of-service attacks against U.S. financial institutions have been originated by Middle Eastern actors, which makes me doubly wary about leaping to conclusions about who might be responsible in this case.

· There is a tradition by several nation-states of loosely directing groups of private (individual) actors to conduct attacks. This allows for deniability of anything occurring within the context of a chain of command. It also allows those ‘independent’ attackers to use whatever intermediaries they wish as ‘stepping stones’ along the networks that connect to their targets.”

Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs:

“The information stolen from J.P. Morgan & Co has been reported through various sources as being caused by a Zero Day exploit utilized against an internet facing system or the exploitation of an unsecured employee to gain access to a secured network via a virtual private network. Either way, these are two of the biggest issues that organizations, be it corporate or government, face today when it comes to cyber security.

Attackers know that directly attacking security systems is never a smart move considering the current security stance most organizations take; however, utilizing the ‘weak link’, or employees who fail to follow common security practices and are given too much access to secure systems, allows attackers to basically detour the defenses put in place and instead navigate with little to no resistance.

Utilization of Zero Day exploits has been seen in use with watering hole attacks, an attack that compromises web sites commonly visited by targets and exploits them when they visit, and can be a possible method of infection for the compromised employee. This method was used not too long ago against Apple employees, presumably by Chinese state-sponsored attackers.”


Eric Chiu, president & co-founder of HyTrust:

“The potential breach at JPMC is scary given that it is one of the largest banks with high levels of security. Breaches are happening almost daily with recent headlines at Community Health, eBay, Target, Michael’s Stores and many others. This highlights the fact that outside attackers are sophisticated and well-funded, and that every organization is a target for breach. It’s also a wake-up call that companies need to make security a priority in order to protect their most sensitive data. In addition, companies really need to think about an ‘inside-out’ model of security and assume the bad guys are already on the network.”


TK Keanini, CTO, Lancope:

“It is no longer a game of not being infiltrated, it is a game of detecting them and shutting them down before they can exfiltrate or advance their operations. You can make the same analogy with physical bank robbery: it is not about breaking into the bank, it is about getting out and being able to spend the loot without being detected.

Financial institutions like JP Morgan have a readiness for these types of incidents that is the best in the industry. The fact that business continuity was not an issue and that they are working with law enforcement to catch the crooks is exactly the pattern you want to see. This is what good incident response looks like from the outside. Depending on how the investigation plays out, we may or may not get more details but we will have to wait and see.

The pattern here is state of the art and will repeat itself until it is no longer effective for the attackers. Once these attackers have credentials to internal systems, they no longer set off traditional security alarms because these detection methods are watching for bad things to happen, and for weeks and months they just operate as that user and no violations are triggered. The solution is to employ complementary forms of detection like anomaly detection methods that can detect when this user’s behavior has changed significantly or suspicious connections are made.”
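The behavioral detection Keanini describes, as an added example that is not Lancope's code or anything from the original page: a baseline-and-deviation detector run over a constructed authentication log, flagging a valid account whose source address, destinations and active hours all stop matching its own history. The log format, field names and the deviation threshold are assumptions for illustration.

```python
"""Baseline-and-deviation detection for activity by a valid but compromised account.

Constructed example: the log lines and the key=value field names (user, src, dst,
action) are made up for this illustration, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a baseline week of routine activity, followed by a
# night on which "alice"'s credentials start behaving unlike alice.
SAMPLE_LOG = """\
2014-08-18T09:02:11 user=alice src=10.1.2.10 dst=crm-web-01 action=login
2014-08-18T09:40:05 user=alice src=10.1.2.10 dst=fileshare-02 action=access
2014-08-19T08:55:31 user=alice src=10.1.2.10 dst=crm-web-01 action=login
2014-08-19T10:12:44 user=alice src=10.1.2.10 dst=fileshare-02 action=access
2014-08-20T09:10:02 user=alice src=10.1.2.10 dst=crm-web-01 action=login
2014-08-21T09:05:17 user=alice src=10.1.2.10 dst=crm-web-01 action=login
2014-08-22T09:00:48 user=alice src=10.1.2.10 dst=fileshare-02 action=access
2014-08-18T09:30:00 user=bob src=10.1.3.22 dst=ledger-db-01 action=login
2014-08-19T09:31:00 user=bob src=10.1.3.22 dst=ledger-db-01 action=login
2014-08-25T02:14:09 user=alice src=10.1.9.77 dst=ledger-db-01 action=login
2014-08-25T02:15:30 user=alice src=10.1.9.77 dst=ledger-db-01 action=access
2014-08-25T02:20:12 user=alice src=10.1.9.77 dst=cust-pii-db action=access
2014-08-25T09:15:00 user=bob src=10.1.3.22 dst=ledger-db-01 action=login
"""

BASELINE_END = datetime(2014, 8, 23)  # events before this instant build the baseline


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baseline(events):
    """Per-user sets of source IPs, destinations and active hours seen before BASELINE_END."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        if e["ts"] < BASELINE_END:
            profile = baseline[e["user"]]
            profile["src"].add(e["src"])
            profile["dst"].add(e["dst"])
            profile["hours"].add(e["ts"].hour)
    return baseline


def score_event(event, baseline):
    """List the ways one event deviates from that user's own baseline profile."""
    profile = baseline.get(event["user"])
    if profile is None:
        # Account never active during the baseline window: every facet is new.
        return ["unknown-user", "new-source", "new-destination", "off-hours"]
    deviations = []
    if event["src"] not in profile["src"]:
        deviations.append("new-source")
    if event["dst"] not in profile["dst"]:
        deviations.append("new-destination")
    if event["ts"].hour not in profile["hours"]:
        deviations.append("off-hours")
    return deviations


def detect_anomalies(log_text, threshold=2):
    """Return (user, iso_timestamp, deviations) for post-baseline events with >= threshold deviations.

    No signature fires on any of these lines; only the departure from the
    account's own history makes the 02:xx activity stand out.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = build_baseline(events)
    alerts = []
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        deviations = score_event(e, baseline)
        if len(deviations) >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), deviations))
    return alerts


if __name__ == "__main__":
    for user, when, why in detect_anomalies(SAMPLE_LOG):
        print(f"ALERT {when} user={user} deviations={','.join(why)}")
```

In the constructed log, bob's post-baseline login matches his profile on every facet and stays quiet, while alice's three night-time events from a new address to never-before-seen hosts each trip all three checks.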

Eyal Firstenberg, vice president of cyber research at LightCyber:

“Attackers that go after a bank like JPMorgan, with or without sanction from a nation-state, are determined. The choice of target might have been opportunistic, but once it’s chosen, the attackers are focused on that target. Once that happens the battles start. This entails that the bigger an organization’s list of attackers, the more frequently one of them will succeed.

What governs the size of potential attackers? Evidence suggests that the most governing factors are how easy it is to monetize that organization’s loot, along with how tough it is to breach that organization. Banks’ PII records are easily monetized, so they make lucrative targets. What about toughness, aren’t banks like JPMorgan tough enough to discourage attackers from even starting? No, far from it. These are not kids sitting in their parents’ garage doing something looking for excitement during their summer break. These are professionals, working in multi-disciplinary teams, and have the discipline to persevere and work hard to get to quality loot.”

Until Next Friday…Have a Great Weekend!

Previous Columns by Eduard Kovacs:

97,000 Bugzilla Testers’ Data Dumped on Public Server

Mozilla is warning users who have contributed to testing builds of the online bug-tracking tool Bugzilla that their email addresses and encrypted passwords were publicly available for a period of three months.

The information of 97,000 users who had created test installations on landfill.bugzilla.org was inadvertently posted to a public Web server on May 4, when the server for test builds was migrated. The leak was discovered by a Bugzilla developer.

“As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” Mark Côté, assistant project lead at Bugzilla, noted in a blog post.

“Generally, developers who use our test builds have told us they understand that these builds are insecure and may break, so they do not use passwords they would reuse elsewhere,” Côté said.

However, as a precaution, passwords on all test systems have been reset. Users will be required to set new ones next time they access Bugzilla test systems. Users of bugzilla.mozilla.org are not affected by the incident, unless they have used the same password as on landfill.bugzilla.org, Côté clarified.

A note posted on the Landfill website instructs users not to enter any information that is considered private or sensitive because the site is for testing and demonstration purposes.

This isn’t the first time Mozilla has accidentally leaked user data. On August 1, the company revealed that a botched data sanitization process of the Mozilla Developer Network (MDN) database resulted in the email addresses of 76,000 users and the encrypted passwords of 4,000 users being posted to a publicly accessible server.

The data was available for 30 days, but it was reportedly downloaded only by a small number of users, most of whom were known contributors.

“The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems,” Stormy Peters, Director of Developer Relations at Mozilla, said at the time.


Previous Columns by Eduard Kovacs:

Many Wi-Fi Connections in Brazil Vulnerable to MitM Attacks: Researcher

A large number of the wireless Internet connections in Brazil are exposed to man-in-the-middle (MitM) attacks because they’re not secured properly, a researcher has warned.

André Luis Pereira dos Santos conducted experiments to determine how difficult it would be for an attacker to hijack Wi-Fi connections and capture users’ data. The problem, according to the expert, is that the routers provided by many Brazilian Internet service providers (ISPs) to customers use MAC address authentication, instead of wireless security protocols like WEP or WPA.

A report provided by the researcher to SecurityWeek shows that three main elements were used in the experiments: a DD-WRT wireless access point (AP), a high-gain omnidirectional antenna, and a physical or virtual server with proxy/MitM software installed on it.

By configuring the AP with the same service set identifier (SSID) and basic service set identifier (BSSID) as the targeted AP, an attacker can intercept both SSL and non-SSL traffic within the antenna’s range by using open-source proxy software such as mitmproxy. As an evasion tactic, the attacker can drive around in a car while capturing data, Pereira dos Santos noted.

“The AP is connected to a server running the transparent proxy with a stack to make the MitM (mitmproxy). The proxy will receive the connection from the AP, log all traffic to port 80 (HTTP) and if the connection goes to port 443 (SSL) the proxy will make the MITM attack (forging a certificate, open the stream, log all stream, make a connection to destination with true certificate and send the stream to destination),” the researcher explained in his report.

In the case of SSL connections, potential victims are presented with a Web browser alert when the attacker attempts to intercept their traffic, but the expert believes at least half of users ignore these types of warnings.

Cybercriminals can leverage the lack of security to steal personal and financial data, and even to blackmail their victims. In addition to stealing intercepted data, an attacker can also modify HTTP requests and responses on the fly to inject malware, the researcher said.

In the first half of 2014, the expert conducted tests on the wireless connections of 420 companies in 552 locations all over Brazil. Pereira dos Santos found that 37% of Wi-Fi connections are vulnerable to such attacks. He believes the situation could be similar in other countries as well.

The researcher told SecurityWeek that he conducted tests both in a laboratory environment and in the wild with the aid of numerous friends. A car was used to test the mobility aspect of the attack.

Around one third of the affected ISPs have been notified, but Pereira dos Santos says it’s impossible to reach out to all companies considering that many of them are small and highly distributed. While some of the affected service providers have promised to notify their tech departments of the problem, others have denied that an issue exists.
